We have a tool named ERR.exe, which has the Win32 headers and privates for products that we ship. We used to ship the ERR.exe tool in the “Windows Server 2003 Resource Kit”. If you are a developer or use Visual Studio, the Visual Studio Tools include a GUI version of the tool called ERRLOOKUP.exe.

There will be a folder called “Err” and inside of it, the err.exe tool.

Personally, I like to copy the err.exe tool to c:\windows\system32 so that I won’t have to enter the path at the command line, since c:\windows\system32 is in the Path environment variable.

What type of information can I get out of this tool?

You are able to see which NTStatus header files the tool looks through, and the components, which are the base Windows O.S. components used by any application that has to run on top.

Usage:

For example, let’s find out what a 0x00000005 is actually.

Open a command prompt (cmd.exe) and type:

Err.exe 0x00000005

So you end up with 39 matches.

Ok, so which one applies to you? Depending on the component you are troubleshooting, you will choose that particular component.

For example, for most Windows administrators, we are going to be looking for winerror.h or ntstatus.h.

In Windows XP and Windows Server 2003, what I noticed is that admins will click on the “For more information, see Help and Support Center at …” link, which leads to nowhere… =) and disregard the “Data:” section, since it shows values in “Bytes”, which look like just some hex numbers:

If you click on “Words”, we could see a hex value of “c0001066”

In this example, we get an error message that we already knew, but really, the information contained here is a gold mine, when you are troubleshooting a problem.

Here is an example from Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. In the event log, one of my VMs was getting the following error message:

Log Name: System

Source: Server

Date: 10/6/2012 7:03:03 AM

Event ID: 2505

Level: Error

Description:

The server could not bind to the transport \Device\NetBT_Tcpip_{6AB7579E-2A1E-41C5-8AF4-E028EF4D3D20} because another computer on the network has the same name. The server could not start.

If I click on the “Details” tab, I’m able to go to the “Binary data:” and look at the “Words” value.

In this case, it is 0000034, which is 0x0000034.

Typing “err.exe 34”, I’m able to get the following info:

Looking at “winerror.h”, I’m able to see multiple winerror.h matches, so I need to gauge what applies to the issue that I’m troubleshooting.

In this case, I knew the event log error was regarding “duplicate name exists on the network”.
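As an added example (not part of the original post and not how err.exe itself works), the Python sketch below shows why the “Bytes” and “Words” views differ and why one number matches several headers: it turns little-endian bytes into DWORDs and lists the standard readings of a 32-bit value. The function names and the sample byte string are constructed for illustration.

```python
import struct

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
FACILITY_WIN32 = 7  # HRESULT facility that wraps a plain Win32 error code


def bytes_view_to_words(hex_bytes):
    """Convert the event's "Bytes" view (little-endian) into "Words" (DWORDs)."""
    raw = bytes.fromhex(hex_bytes)  # whitespace between byte pairs is ignored
    if len(raw) % 4:
        raise ValueError("binary data is not a whole number of DWORDs")
    return [word for (word,) in struct.iter_unpack("<I", raw)]


def interpretations(value):
    """Return the candidate readings of a 32-bit value, keyed by header family."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("expected a 32-bit value")
    readings = {}
    if value <= 0xFFFF:
        # Small values are usually plain Win32 error codes (winerror.h),
        # which documentation normally lists in decimal.
        readings["win32"] = {"decimal": value}
    # NTSTATUS (ntstatus.h): bits 31-30 severity, 27-16 facility, 15-0 code.
    readings["ntstatus"] = {
        "severity": SEVERITY[value >> 30],
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
    }
    # HRESULT: bit 31 failure, bits 26-16 facility, bits 15-0 code.
    if value >> 31 and ((value >> 16) & 0x7FF) == FACILITY_WIN32:
        readings["hresult_win32"] = {"win32_decimal": value & 0xFFFF}
    return readings


if __name__ == "__main__":
    # Constructed sample: the bytes that would display as the word c0001066.
    for word in bytes_view_to_words("66 10 00 c0"):
        print(f"0x{word:08x}", interpretations(word))
    # The values looked up with err.exe in the post.
    for value in (0x00000005, 0x34):
        print(f"0x{value:08x}", interpretations(value))
```

A value with the top two bits set, such as c0001066, only makes sense as an error-severity NTSTATUS, while a small value such as 0x34 is most likely a Win32 code, which narrows the list of err.exe matches to weigh.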